The technical field is directed to I/O systems including an I/O device coupled to a processor or server comprising a memory. The processor and the I/O device may be coupled by an I/O bus. As an interface to the I/O bus, an I/O bridge may be used or the processor may comprise an I/O Memory Management Unit (I/O MMU). The memory may be controlled by a dedicated memory controller.
Traditionally, in secure I/O systems, the processor and the I/O bridge are provided by the same vendor. In order to separate the I/O devices from each other, each I/O device is connected to the I/O bridge with a separate I/O link, in particular PCI Express. The I/O bridge contains logic that translates the addresses used by the I/O device into system addresses. As the I/O bridge and the firmware are provided by the same vendor, that vendor can ensure that the address translation cannot be corrupted in a way that lets the device access addresses that it should not access.
With the consolidation towards PCI Express and to reduce latency and system complexity, I/O systems are moving towards using just an MMU integrated in the processor I/O complex. However, the MMU there has the disadvantage that it is shared between all I/O devices connected to its I/O link. Therefore, the I/O devices have to share the translation cache of the MMU which may increase space requirements and may create the problem of cache thrashing. To alleviate this problem, the PCIe AT extensions for address translation may allow the I/O devices to request an address translation from the PCIe root complex and to store it in a local cache. The I/O device can then use the translation later on and may use a bit in the header to indicate in the transfer that the address has already been translated, such that the I/O root complex may directly use the address provided by the I/O device.
The problem for secure systems is that there is no way to check whether the translated address has been changed by the I/O device. Therefore, to use this scheme, the processor vendor needs to trust the switch and device vendors not to use system addresses different from those provided by the root complex.
Growing network speed leads to the use of so-called Remote Direct Memory Access Network Interface Adapters (RNICs). RNICs allow a placement of data received from a network directly into the memory or application memory of a processor or a server. As indicated above, the problem for a vendor of such a processor or server including said memory is that they have to trust the correct implementation of the protection mechanism in the RNIC.
Conventionally, address translation protection is either implemented in the driver software or in hardware as a part of the I/O system.
Both may be developed, produced and verified by the server vendor who takes responsibility for the dependable operation of the entire I/O system, including the I/O device and the application. An error in the I/O device may only harm the application in a limited way, in particular it may receive corrupted I/O data in the expected location.
An RNIC writes or reads I/O data and I/O-related control information, for example completion signals, directly to memory locations shared with the application when using virtual addresses.
In most computers or servers, the virtual address of an application is translated into a real address. This allows a dynamic allocation of memory to several applications while maintaining a contiguous address base for each application. Therefore, the address used by an RNIC has to be translated with the same mechanism.
Therefore, memory locations accessed by an RNIC may be distributed over the entire memory. If the computer or server wants to protect these memory accesses, it needs to perform an extra check on each access. Since these accesses may be widely distributed with little locality, caches may not help much to reduce the overhead of the server-side check. Furthermore, extra server-side checks increase memory bandwidth demand, system cost and power consumption and may reduce the system performance.
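The following C model is an added example, not part of the original text: it shows a root complex that uses a device-supplied address directly when the "already translated" header bit is set, beside the extra per-access server-side check discussed above. The table layout, function names and sample addresses are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SHIFT 12
#define N_ENTRIES (sizeof table / sizeof table[0])

/* Shared I/O MMU entry: device-visible page -> system page (hypothetical layout). */
struct xlate { uint16_t dev; uint64_t io_page, sys_page; };
/* Constructed sample table: two devices, one page each. */
static const struct xlate table[] = { {1, 0x10, 0x8000}, {2, 0x10, 0x9000} };

/* Transfer as seen by the root complex; `translated` models the header bit. */
struct transfer { uint16_t dev; uint64_t addr; bool translated; };

/* Translation request: the device may cache the returned system address. */
bool translate(uint16_t dev, uint64_t io_addr, uint64_t *sys_addr) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (table[i].dev == dev && table[i].io_page == (io_addr >> PAGE_SHIFT)) {
            *sys_addr = (table[i].sys_page << PAGE_SHIFT) | (io_addr & 0xFFF);
            return true;
        }
    return false;
}

/* Extra server-side check: is this system page mapped for this device? */
bool owns_sys_page(uint16_t dev, uint64_t sys_addr) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (table[i].dev == dev && table[i].sys_page == (sys_addr >> PAGE_SHIFT))
            return true;
    return false;
}

/* Root complex: with verify == false a pre-translated address is used as-is. */
bool root_complex_access(struct transfer t, bool verify, uint64_t *sys_addr) {
    if (!t.translated)
        return translate(t.dev, t.addr, sys_addr);
    if (verify && !owns_sys_page(t.dev, t.addr))
        return false;            /* per-access check rejects the transfer */
    *sys_addr = t.addr;          /* address taken directly from the device */
    return true;
}

int main(void) {
    uint64_t out;
    struct transfer altered = {1, 0x9000456, true}; /* device 1 names device 2's page */
    /* Trusting mode accepts the transfer; checking mode rejects it. */
    return (root_complex_access(altered, false, &out) &&
            !root_complex_access(altered, true, &out)) ? 0 : 1;
}
```

The per-access lookup in owns_sys_page is the server-side cost the text refers to: it runs on every pre-translated transfer, regardless of what the device has cached.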
Accordingly, it is an aspect of the present invention to provide an improved secure Remote Direct Memory Access (RDMA) of a memory of a processor.